Two of four EAC commissioners lack security clearances

Editor's Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. To learn more about POLITICO Pro's comprehensive policy intelligence coverage, policy tools and services, click here.

QUICK FIX

Story Continued Below

— Half of Election Assistance Commission members have limited access to classified information. It raises questions about how effectively it can communicate about election security threats.

— The EMP executive order issued last week could have cybersecurity ramifications. It might harden the electricity grid against hackers.

— A Georgia bill prevents the state from buying several popular models of voting machines, a report concludes. It has a “fundamental definitional problem.”

HAPPY MONDAY and welcome to Morning Cybersecurity! It’s been a pretty good NCAA tournament, right? Send your thoughts, feedback and especially tips to tstarks@politico.com, and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

Driving the Day

EAC BLIND SPOT — Only half of the members of the Election Assistance Commission have security clearances, and none of them had clearances for the 2016 and 2018 election cycles, Eric reports. Thomas Hicks, who chaired the EAC in 2016 and 2018, and Donald Palmer, who joined the commission in February, lack them, while Christy McCormick, the agency’s current chairwoman, has an interim clearance. Benjamin Hovland, who also joined in February, has a full clearance. Then-Commissioner Matthew Masterson did not have one during the 2016 cycle.

“The people entrusted with securing our elections need to know what threats they’re supposed to address,” Sen. Ron Wyden told POLITICO in a statement. “An Election Assistance [Commission member] without a security clearance is like making a baseball player hit without a bat.” Read more here.

THE CYBER ANGLE ON THE EMP EO— The executive order President Donald Trump signed to defend against electromagnetic pulse attacks might bolster cyber defenses, too. Sam Feinberg, executive director of the think tank Helena, told MC that the EO could make an otherwise crippling cyberattack on the electricity grid reversible in days, if not hours. “If implemented, this EO will lead to physical hardening of the grid,” he said via email. “Happily, the kind of hardening needed to protect infrastructure against EMPs also provides protection against cyberattacks.”

“This is because the most damaging cyberattacks (like Stuxnet) permanently incapacitate physical infrastructure, rather than just temporarily switching them off,” he said. “To the extent that transformers, SCADA systems, and other physical grid systems are made resilient to the extremely high current being induced by EMPs, they will also become meaningfully more resilient to the most damaging and threatening types of cyberattacks — which aim, for example, to route abnormally high currents through transformer components and melt them.”

DO YOU EVEN EO, BRO? — The Trump administration’s long-awaited executive order that would ban Huawei products from the U.S. should be part of a larger strategy aimed at managing next-generation tech, wrote cyber expert James Lewis of theCenter for Strategic and International Studies. That larger strategy should include, among other things: support for Western telecom companies for research and development; an executive order on telecom supply chain security “that clearly lays out U.S. policy;” and a long-term plan with China to help it conform to international norms for trade and security. “China is not going away. It will always be powerful and the United States, working with its partners, must encourage and require change,” Lewis wrote.

OOPS! — A Georgia bill authorizing the state to buy new voting machines rules out several popular models, the OSET Institute, an election technology research group, said in a report published late last week. The bill (HB 316), which Gov. Brian Kemp is likely to sign soon, requires Georgia to buy a ballot-marking device that produces “voter verifiable” paper ballots displaying barcodes that are scanned and tallied. But, OSET said, “the vast majority” of BMDs do not count as “voter verifiable,” because they “do not allow voters to verify the same choice data that the voting system in fact uses to tabulate votes" — that is, the barcode is "not readable by the voter."

Georgia’s election office is already moving ahead with the RFP process,but as OSET pointed out, HB 316 preemptively disqualifies several of the vendors that may submit proposals — including Election Systems & Software and Dominion, two of the three largest firms. Those companies’ products tally the data in the barcode, which — if the BMD is hacked — could be different from the human-readable text that voters can check. “Excepting two commercial solutions, a voter cannot verify the choices that are used for counting with today’s BMDs,” OSET said. “Therefore, there is no way for the voter to verify what choices are actually being counted, and hence for the majority of solutions, the ballot cannot be said to be ‘verifiable’ by the voter.”

MULE-ER— South Korean authorities extradited a Ukrainian man whom the U.S. said ran an international money laundering operation abetted by cyber criminals that netted him nearly $3 million, the Justice Department announced late last week. The unsealed indictment states that Aleksandr Musienko employed overseas cyber criminals to target online bank accounts in the U.S. “belonging to a large number of individual and corporate victims.” Musienko, according to DoJ, lured “money mules” for his scheme. “Once Musienko had his network of money mules in place, Musienko then offered his money mule services to his cybercriminal partners to assist them in transferring stolen funds,” DoJ’s statement reads. “He directed his ‘money mules’ to use their own bank accounts to receive and then transfer proceeds from the compromised bank accounts overseas.”

RECENTLY ON PRO CYBERSECURITY— Attorney General William Barr said his department would release special counsel Robert Mueller’s full report by mid-April at the latest. … Switzerland suspended its internet voting pilot program due to “critical errors” found in its code. … U.S. and Chinese officials are making progress toward a trade agreement, the White House said. … Germany’s cybersecurity agency is talking with Huawei over a U.K. government report critical of the company’s security.

Follow us on Twitter

Follow Us

About The Author : Tim Starks

Tim Starks has written about cybersecurity since 2003, when he began at Congressional Quarterly as a homeland security reporter. While at CQ Roll Call, he mainly covered intelligence, but he also had stretches as a foreign policy reporter and defense reporter. In 2009, he won the National Press Club's Sandy Hume Memorial Award for Excellence in Political Journalism.

He left CQ Roll Call in March of 2015. Before coming to Politico he spent several months freelancing, writing for the Economist, the New Republic, Foreign Policy, Vice, Bloomberg and the Guardian.

He grew up in Evansville, Ind. and graduated from the University of Southern Indiana with a degree in print journalism. His first full-time reporting job was covering city hall for the Evansville Press, the former afternoon daily. He was a Pulliam Fellow at the Indianapolis Star, and participated in the Politics and Journalism Semester at the chain of newspapers anchored by the Las Vegas Review-Journal. He also was the Statehouse Bureau Chief at the Evansville Courier & Press and established the Washington bureau of the New York Sun. Some of his other freelance work has been for the Chicago Tribune, Glamour, Deutsche Welle, Ring and BookForum.

He is the founder of The Queensberry Rules, dubbed an "indispensable boxing blog" by the Wall Street Journal. He's also fond of fantasy basketball and real-life basketball — he is from Indiana, after all — and gets way too bent out of shape over people rooting against the home team or not walking on the right side of the sidewalk.